{"id":43653,"date":"2018-08-30T10:42:05","date_gmt":"2018-08-30T05:12:05","guid":{"rendered":"http:\/\/localhost\/one\/?p=43653"},"modified":"2025-06-17T14:31:49","modified_gmt":"2025-06-17T09:01:49","slug":"personal-data-protection-bill-2018-india-salient-features","status":"publish","type":"post","link":"https:\/\/www.bananaip.com\/intellepedia\/personal-data-protection-bill-2018-india-salient-features\/","title":{"rendered":"SALIENT FEATURES OF PERSONAL DATA PROTECTION BILL, 2018 (INDIA) &#8211; PART 1"},"content":{"rendered":"<p><span style=\"font-size: 12pt;\">The Draft of the Personal Data Protection Bill was released on July 27, 2018 by the Justice Srikrishna Committee, along with its report on Data Protection in India. This Bill incorporates many features of the EU-GDPR modified according to Indian stand on the privacy of individuals. Although not as stringent in its requirements or as widely applicable as the GDPR, the Bill imposes largely similar obligations on the recipients of an individual\u2019s data. The salient features of the Bill include:<\/span><\/p>\n<ul>\n<li><span style=\"font-size: 12pt;\">Categorisation of the individual as the \u201cdata principal\u201d and the recipient of the data as the \u201cdata fiduciary\u201d.<\/span><\/li>\n<li><span style=\"font-size: 12pt;\">Obligation on data fiduciary to collect data only for necessary purposes after satisfying certain conditions.<\/span><\/li>\n<li><span style=\"font-size: 12pt;\">Categorisation of data into personal and sensitive personal data.<\/span><\/li>\n<li><span style=\"font-size: 12pt;\">Transparency and accountability measures<\/span><\/li>\n<\/ul>\n<p><span style=\"font-size: 12pt;\">Data localization requirements<\/span><\/p>\n<ul>\n<li><span style=\"font-size: 12pt;\">Offences and penalties<\/span><\/li>\n<li><span style=\"font-size: 12pt;\">Setting up of a data protection authority and other state authorities for enforcement.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-size: 12pt;\">These features have been briefly discussed below.<\/span><br \/>\n<span style=\"font-size: 12pt;\">Full text of the proposed bill can be accessed <a href=\"http:\/\/meity.gov.in\/writereaddata\/files\/Personal_Data_Protection_Bill,2018.pdf\" target=\"_blank\" rel=\"noopener\">here<\/a>.<\/span><\/p>\n<h2><span style=\"font-size: 12pt;\"><strong>Important Definitions <\/strong><\/span><\/h2>\n<p><span style=\"font-size: 12pt;\">Some important terms have been defined in the proposed bill. The simplified version of the said definitions is provided below.<\/span><br \/>\n<span style=\"font-size: 12pt;\"><strong>Data<\/strong> includes information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation, or processing by humans or by automated means. (Refer to Section 3 (12) of the Bill)<\/span><br \/>\n<span style=\"font-size: 12pt;\"><strong>Data fiduciary<\/strong> is the entity which alone or in conjunction with others determines the purpose and means of processing of personal data.<\/span><br \/>\n<span style=\"font-size: 12pt;\">Although the Bill does not expressly state this, it envisions a fiduciary relationship between the data principal and the data fiduciary with respect to data. \u00a0(Refer to section 3 (13) of the Bill)<\/span><br \/>\n<span style=\"font-size: 12pt;\"><strong>Data principal <\/strong>is the natural person whose personal data may be collected and\/or processed. (Refer to section 3 (14) of the Bill)<\/span><br \/>\n<span style=\"font-size: 12pt;\"><strong>Data processor <\/strong>is any entity, including the State, which processes personal data on behalf of a data fiduciary, but does not include an employee of the data fiduciary. (Refer to section 3 (15) of the Bill)<\/span><br \/>\n<span style=\"font-size: 12pt;\">The state may also fall under the ambit of Data fiduciary or Data processor.<\/span><\/p>\n<h2><span style=\"font-size: 12pt;\"><strong>Applicability of the Bill<\/strong><\/span><\/h2>\n<p><span style=\"font-size: 12pt;\">The Bill applies to all parts of India. No exceptions have been made for any state.<\/span><br \/>\n<span style=\"font-size: 12pt;\">This Bill applies where:<\/span><br \/>\n<span style=\"font-size: 12pt;\">(a) personal data has been collected, disclosed, shared or otherwise processed within the territory of India; and<\/span><br \/>\n<span style=\"font-size: 12pt;\">(b) personal data is being processed by the State or any Indian individual or entity.<\/span><br \/>\n<span style=\"font-size: 12pt;\">The Bill also applies to a data fiduciary or processor not present within India, when:<\/span><\/p>\n<ul>\n<li><span style=\"font-size: 12pt;\">It carries out business or offers goods or services in India; or<\/span><\/li>\n<li><span style=\"font-size: 12pt;\">It is involved in profiling of data principals in India.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-size: 12pt;\">The Bill does not apply to anonymized data. (Refer to section 1 and 2 of the Bill)<\/span><\/p>\n<h2><span style=\"font-size: 12pt;\"><strong>Authorities<\/strong><\/span><\/h2>\n<p><span style=\"font-size: 12pt;\">The Bill empowers the Central Government to establish a Data Protection Authority of India (\u201cAuthority\u201d), having a chairperson and six full-time members appointed by the committee consisting of the Chief Justice of India, the Cabinet secretary, and one expert nominated by Chief Justice of India. (Refer to Sections 49 and 50 of the Bill)<\/span><br \/>\n<span style=\"font-size: 12pt;\">The Authority is responsible for protecting the interest of data principals, prevent misuse of personal data, ensure proper compliance with this Bill and promote awareness about data protection. In addition to these general responsivities, the Bill further provide specific functions of the Authority. \u00a0(Refer to Sections 60-67 of the Bill)<\/span><br \/>\n<span style=\"font-size: 12pt;\">To dispose the matters related to penalties the Authority is required to have a separate adjudicating wing, headed by the adjudicating officer. Adjudicating Officers shall be persons of ability, integrity and standing, and must have specialized knowledge of, and not less than seven years professional experience in the fields of constitutional law, cyber and internet laws, information technology law and policy, data protection and related subjects. (Refer to Section 68 of the Bill).<\/span><\/p>\n<h2><span style=\"font-size: 12pt;\"><strong>Obligations of Data Fiduciaries\/ Processors<\/strong><\/span><\/h2>\n<p><span style=\"font-size: 12pt;\">The Bill imposes the following obligations on Data Fiduciaries and Data Processors:<\/span><br \/>\n<span style=\"font-size: 12pt;\">The data fiduciary\/processor can only process personal data for clear, specific and lawful purposes, or for any other incidental purpose that the data principal would reasonably expect the personal data to be used for. (Refer to Sections 4 and 5 of the Bill)<\/span><br \/>\n<span style=\"font-size: 12pt;\">Collection of personal data is limited to data necessary for the purposes of processing. (Refer to Section 6 of the Bill)<\/span><br \/>\n<span style=\"font-size: 12pt;\">Before or at the time of collecting personal data, the data fiduciary must provide to the data principal, clear and concise information related to the purposes of data collection, categories of data collected, right to withdraw consent, period for which data will be retained, etc. (Refer to Section 8 of the Bill)<\/span><br \/>\n<span style=\"font-size: 12pt;\">The data fiduciary must reasonably ensure that personal data processed is complete, accurate, updated, and not misleading, with regard to the purposes for which it is processed. (Refer to Section 9 of the Bill)<\/span><br \/>\n<span style=\"font-size: 12pt;\">The data fiduciary must retain personal data only as long as reasonably necessary to satisfy the purpose for which it is processed, based on periodic reviews. Longer retention is allowed if explicitly mandated, or necessary to comply with any obligation, under a law. (Refer to Section 10 of the Bill)<\/span><br \/>\n<span style=\"font-size: 12pt;\">The data fiduciary is also responsible for complying with all obligations under the Bill in respect of any processing undertaken by any third party. (Refer to Section 11 of the Bill)<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>This post examines the principal features of the Personal Data Protection Bill 2018 as proposed in India. It covers definitions, scope, key authorities, and compliance obligations for data fiduciaries and processors in a structured legal format.<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"iawp_total_views":7,"footnotes":""},"categories":[6,95],"tags":[9097,9100,9098,9096,9101,9102,3222,9099],"class_list":["post-43653","post","type-post","status-publish","format-standard","hentry","category-intellectual-property","category-privacy-data-protection","tag-data-fiduciary","tag-data-localization","tag-data-principal","tag-data-privacy-india","tag-data-protection-authority","tag-indian-data-protection-law","tag-personal-data-protection-bill","tag-sensitive-personal-data"],"_links":{"self":[{"href":"https:\/\/www.bananaip.com\/intellepedia\/wp-json\/wp\/v2\/posts\/43653","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.bananaip.com\/intellepedia\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.bananaip.com\/intellepedia\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.bananaip.com\/intellepedia\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.bananaip.com\/intellepedia\/wp-json\/wp\/v2\/comments?post=43653"}],"version-history":[{"count":2,"href":"https:\/\/www.bananaip.com\/intellepedia\/wp-json\/wp\/v2\/posts\/43653\/revisions"}],"predecessor-version":[{"id":136968,"href":"https:\/\/www.bananaip.com\/intellepedia\/wp-json\/wp\/v2\/posts\/43653\/revisions\/136968"}],"wp:attachment":[{"href":"https:\/\/www.bananaip.com\/intellepedia\/wp-json\/wp\/v2\/media?parent=43653"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.bananaip.com\/intellepedia\/wp-json\/wp\/v2\/categories?post=43653"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.bananaip.com\/intellepedia\/wp-json\/wp\/v2\/tags?post=43653"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}